[j-nsp] anti DDoS in trio MX'es ?
Antti Ristimäki
antti.ristimaki at csc.fi
Thu Dec 1 02:22:10 EST 2011
On 2011-12-01 08:42, sthaug at nethelp.no wrote:
>>> I was reading the release notes for 11.2, and I noticed a new feature:
>>> "Protection against distributed denial of service (DDoS) attacks"
>>
>> While debugging a suspected layer 2 loop issue, we noticed that this
>> feature is implemented and enabled by default in Trio PFE already in
>> 10.4. All related CLI operational and configuration commands are still
>> missing in 10.4, though...
>
> Interesting. Could you say something more about *how* you discovered
> this? How did it affect your traffic?
I discovered it from the PFE shell when searching filter/policer
information and statistics. Found that the DDoS policer statistics can
be found by "show ddos policer stats all" and state with "show ddos
state". On I-CHIP based cards these commands are not available, naturally.
In our case the DDoS policer seems to have policed a rather big amount
of RE-destined traffic during a storm that for some reason wasn't
policed by the lo0 filter. All routing protocols remained stable but
some ICMP or SNMP packets coming through the same PFE were also policed
by the DDoS policer. Anyway, it was a bit of a surprise that the DDoS policer
is enabled in the PFE in 10.4 and no related CLI commands are available.
antti
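Added example, not from Antti's message and not Juniper's own sample config: a
Junos configuration fragment showing the two layers the thread talks about side
by side. The lo0 input filter with a per-protocol policer is the classic way to
rate-limit RE-destined ICMP and SNMP so that a storm does not have to be caught
by the PFE DDoS policer at all, and the system ddos-protection stanza is the
11.2-style CLI for the PFE/RE DDoS policers that 10.4 enables but does not yet
expose. Filter, policer and term names, the rate values and the management
prefix 192.0.2.0/24 are made up for illustration; the ddos-protection
protocol/aggregate keywords and the show commands in the trailing comment are
assumed to match the 11.2 feature and should be checked against the release's
own documentation.

```junos
/* Per-protocol policers for RE-bound traffic (illustrative rates) */
firewall {
    policer re-icmp-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer re-snmp-policer {
        if-exceeding {
            bandwidth-limit 512k;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* Routing protocols first, so they are never starved by the
               ICMP/SNMP policers below (BGP/OSPF terms would go here). */
            term icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer re-icmp-policer;
                    accept;
                }
            }
            term snmp {
                from {
                    source-address {
                        192.0.2.0/24;   /* hypothetical NMS range */
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then {
                    policer re-snmp-policer;
                    accept;
                }
            }
            term default-discard {
                then {
                    count re-discards;
                    discard;
                }
            }
        }
    }
}
/* Apply the filter to the loopback so it covers everything punted to the RE */
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
/* Tune the PFE/RE DDoS policer for ICMP instead of relying on the defaults.
   Bandwidth and burst are in packets per second / packets (assumed units). */
system {
    ddos-protection {
        protocols {
            icmp {
                aggregate {
                    bandwidth 1000;
                    burst 1000;
                }
            }
        }
    }
}
/* Operational checks once the CLI is present (assumed 11.2 command names):
     show ddos-protection protocols icmp statistics
     show ddos-protection protocols violations
   Compare against "show firewall filter protect-re" to see which layer
   actually dropped the storm traffic. */
```

The point of keeping both layers is diagnostic as much as protective: if the
lo0 filter counters stay flat while the ddos-protection violation counters
climb, the traffic is reaching the RE path through something the lo0 terms do
not match, which is exactly the situation described above.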